Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Moving devices across VLANs




If I use ICE to restrict access (what ports they communicate on, who can talk to them, etc) to certain devices while they are in VLAN 200 will I have to redo those rules from the ground up if I move those devices into VLAN 201?



Thanks in advance!




All replies rated.

VIP Collaborator

Re: Moving devices across VLANs

I would recommend checking out the admin guide and/or free tutorials on to gain additional information. However, to answer your question you can create one DACL under Policy->Policy Elements->Results->Authorization-> Downloadable ACLs and then create two separate authorization profiles that assign the respective vlan and the same dacl. Then you would obviously build your authz conditions in your policy set to match on each respective vlan and assign the corresponding authz profile you created for each vlan. Note that there is a lot more from a config standpoint on the switch side that needs to be in place in order for this work. Good luck & HTH!
Rising star

Re: Moving devices across VLANs

I assume you are referring to downloadable ACL's (dACL).  That would be the only way ISE can restrict access like that.  In that case, it depends on how you write your ACL.  If you are allowing traffic to IP's and ports outside of the VLAN, then nothing should change there.  If you are trying to restrict a user from communicating with another machine on the same VLAN, then that may have to change.  For example, let's say VLAN 200 is 192.168.200.x and VLAN 201 is 192.168.201.x.  You want to prevent a user on VLAN 200 from talking to other users on VLAN 200.  That ACL entry may be "deny ip any".  If you then move to VLAN 201, then you would also have to have an entry to cover the new subnet.  Just really depends on what you are looking to accomplish.